How to stop renewing a letsencrypt/certbot certificate?
Solution 1
With certbot, you can simply use:
certbot delete --cert-name mywebsite.com
This removes the certificate and all relevant files from your letsencrypt config directory.
Solution 2
The OP wants to delete the certificate in addition to stopping renewal, and that was covered by the other answers. However, if you want to keep the certificate but discontinue future renewals (for example if you have switched to a different server, but are waiting for all the DNS changes to propagate), you can go into /etc/letsencrypt/renewal and rename example.com.conf to example.com.conf.disabled (or any other non-.conf name), or even delete it altogether:
/etc/letsencrypt/renewal/example.com.conf.disabled
You can verify it was disabled by running the following command, as noted in the other answer.
sudo certbot renew --dry-run
Lastly, some have suggested elsewhere that one can simply put autorenew = False at the top of the /etc/letsencrypt/renewal/example.com.conf file, but that doesn't seem to work. (I would have replied to that post to give my feedback, but their forum cuts off comments after 30 days.)
After review I realize that much of this information is included in the other answer, but I wanted to clarify the steps needed for the separate use case of disabling renewal without deleting or disabling the certificate itself.
Solution 3
It doesn't seem like there is a command to formally "cancel" renewals at this time. However, I found a suggestion from this thread that seems to work.
I tried running the following command,
sudo find /etc/letsencrypt/ -name '*outdated.example.com*'
and only found one file in each of the live/, archive/ and renewal/ directories.
I also tried running,
sudo grep -r /etc/letsencrypt/ -e 'outdated.example.com'
and only found references to the outdated domain in one file in the renewal/ directory (which was renewal/outdated.example.com.conf).
I ran letsencrypt renew and it listed outdated.example.com in the output.
I then created a directory _renewal_disabled and moved renewal/outdated.example.com.conf to that directory.
I ran letsencrypt renew again, and it no longer listed outdated.example.com in the output.
From this I can assume that I've "disabled" renewal of the certificate.
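The approach in Solutions 2 and 3 (move the renewal config aside, keep live/ and archive/ untouched, then confirm with a dry run) as a small bash helper. This is an added example, not code from any of the answers above; LE_DIR, the function names and the sanity check on the `cert =` path are my own choices, and it does not call certbot itself.

```shell
#!/usr/bin/env bash
# Disable or re-enable certbot auto-renewal for ONE lineage without deleting it,
# by renaming renewal/<name>.conf (certbot only considers *.conf in renewal/).
# live/ and archive/ are never touched, so the deployed certificate keeps working.
# LE_DIR and the function names are this example's own choices, not certbot's.
set -eu

: "${LE_DIR:=/etc/letsencrypt}"   # override (e.g. LE_DIR=/tmp/le) when testing

# Lineages "certbot renew" would still process: every renewal/*.conf file.
list_active_renewals() {
  local f
  for f in "$LE_DIR"/renewal/*.conf; do
    [ -e "$f" ] || continue            # no match: glob stays literal, skip it
    basename "$f" .conf
  done
}

# Rename renewal/<name>.conf -> renewal/<name>.conf.disabled (idempotent).
disable_renewal() {
  local name="$1" conf="$LE_DIR/renewal/$1.conf"
  if [ -e "$conf.disabled" ]; then
    echo "already disabled: $name" >&2
    return 0
  fi
  if [ ! -f "$conf" ]; then
    echo "no renewal config found for $name" >&2
    return 1
  fi
  # Sanity check: the config must point at live/<name>/, so a typo in <name>
  # cannot silently disable a different lineage.
  if ! grep -Fq -- "/live/$name/" "$conf"; then
    echo "refusing: $conf does not reference live/$name/" >&2
    return 1
  fi
  mv -- "$conf" "$conf.disabled"
  echo "renewal disabled for $name; live/ and archive/ left intact" >&2
}

# Undo: restore the .disabled file so the lineage is renewed again.
enable_renewal() {
  local name="$1" conf="$LE_DIR/renewal/$1.conf"
  [ -f "$conf.disabled" ] || { echo "nothing to enable for $name" >&2; return 1; }
  mv -- "$conf.disabled" "$conf"
}

# Command-line entry point, e.g.:  sudo ./le-renewal.sh disable old.example.com
# Afterwards "sudo certbot renew --dry-run" should no longer list that lineage.
case "${1:-}" in
  disable) disable_renewal "$2" ;;
  enable)  enable_renewal "$2" ;;
  list)    list_active_renewals ;;
esac
```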
Solution 4
updated
Please see answer https://stackoverflow.com/a/47372583/1426788
A newer version of certbot supports deleting certs via the CLI
old answer
To remove a domain from your certbot renewals, you can remove or move (safer) the bad domain cert files and run certbot renew --dry-run to ensure that you have removed the outdated / invalid configuration.
rm -rf /etc/letsencrypt/live/${BAD_DOMAIN}/
rm -f /etc/letsencrypt/renewal/${BAD_DOMAIN}.conf
certbot renew --dry-run
If that works, you can continue your renewals without --dry-run for future updates.
certbot renew
If you're running with something like nginx or some other server, don't forget to edit your configs so they are no longer pointing to invalid or removed certs.
Finally, restart or reload your server configs and you're done!
Jackson
Professional software developer and life-long computer enthusiast. Has JavaScript flowing out of his ears. Bash and LISP are also fun. Live free or die GNU/Linux. Graphical and typographical obsessor.
Updated on February 07, 2022
Comments
- Jackson over 2 years
There are lots of tutorials online of how to create and renew a certificate with letsencrypt, but I want to remove and stop renewing a certificate that I created (it was only created for testing purposes). How do I stop renewing one certificate originally obtained with the letsencrypt command (while still continuing to renew other certificates)? I don't see a single instance of anyone asking this question anywhere else, nor a command in man letsencrypt that seems to do it. Currently I am renewing certificates with the following cron job:
30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
35 2 * * 1 /bin/systemctl reload nginx